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(54) Preventing fraudulent access in a conditional access system 

(57) A receiver/decoder is programmed only to 
accept a current entitlement control message (EMM) if it 
has received at least a previous EMM of a previous cal- 
endar period. When this is received, it is used to check 
present rights in the receiver/decoder. The invention 
prevents an original subscriber from fraudulently obtain- 
ing rights by disconnecting a decoder (before an author- 
ising message can update the decoder's memory to 
prevent decryption) and by reconnecting the decoder 
(so as to be mistaken for a new subscriber legitimately 
having those rights). 
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Description 

The present invention relates to a method of and 
apparatus for preventing fraudulent access in a condi- 
tional access system linked to a subscriber's 
receiverAlecoder. The technique may be used in the 
field of data communication where transmitted 
encrypted data is received and decrypted by, for exam- 
ple, an authorised subscriber's receiver/decoder. 

The term "receiver/decoder" used herein may con- 
note a receiver for receiving either encoded or non- 
encoded signals, for example, television and/or radio 
signals. The term may also connote a decoder for 
decoding received signals. Embodiments of such 
receiver/decoders may include a decoder integral with 
the receiver for decoding the received signals, for exam- 
ple, in a "set-top box" or such a decoder functioning in 
combination with a physically separate receiver. 

The receiver/decoder is stated above as being 
"linked to" the conditional access system, which 
includes the possibilities that the receiver/decoder 
either forms part of or is separate from the conditional 
access system. 

In particular, but not exclusively, the invention may 
be used in a mass-market broadcast system having 
some or all of the following preferred features. It may be 
an information broadcast system, preferably a radio 
and/or television broadcast system; it may be a satellite 
system (although it could be applicable to cable or ter- 
restrial transmission); it may be a digital system, prefer- 
ably using the MPEG, more preferably the MPEG-2, 
compression system for data/signal transmission; it may 
afford the possibility of interactivity; and it may use 
smartcards. Again, the invention may be used in con- 
junction with a digital audio visual transmission system. 
In the context of the present invention the term "digital 
audio visual transmission system" refers to all transmis- 
sion systems for transmitting or broadcasting primarily 
audio visual or multimedia digital data. Whilst the 
present invention is particularly applicable to a broad- 
cast digital television system, the present invention may 
equally be used in filtering data sent by a fixed telecom- 
munications network for multimedia internet applica- 
tions etc. 

As used herein, the term "smartcard" includes, but 
not exclusively so, any chip-based card device possess- 
ing, for example, microprocessor and/or memory stor- 
age. Also included in this term are chip devices having 
alternative physical forms, for example key-shaped 
devices such as are often used in TV decoder systems. 

The term MPEG refers to the data transmission 
standards developed by the International Standards 
Organisation working group "Motion Pictures Expert 
Group" and in particular but not exclusively the MPEG- 
2 standard developed for digital television applications 
and set out in the documents ISO 13818-1, ISO 13818- 
2. ISO 13818-3 and ISO 13818-4. In the context of the 
present patent application, the term includes all vari- 



ants, modifications or developments of MPEG formats 
applicable to the field of digital data transmission. 

An aim of the invention is to provide a data commu- 
nication method, transmitter and receiver/decoder 
5 which can be used to provide data to. for example, sub- 
scribers or other buyers of reception rights on a secure 
basis. 

In existing broadcasting systems, a smartcard is 
used by a subscriber to obtain the reception right and it 

10 has been found pursuant to the present invention that 
there is a problem of preventing misuse of the card to 
defraud the owner of the rights. 

For example, in a known MPEG television sub- 
scriber system, the rights of different subscribers or 

15 groups of subscribers can be checked centrally, for 
instance on a monthly basis, and an authorising mes- 
sage can be subsequently sent, from a central station, 
to each subscriber or group of subscribers to authorise 
(or to block) use of the rights. Suitably, the authorising 

20 message is simply a "1 " or "0" located in different bitmap 
positions which have been assigned to respective sub- 
scriber identities for the month, only the presence of a 
"1" authorising use of the right for the subscriber at the 
respective bitmap position, a "0" denying use of that 

25 right. 

The following problem with this system has been 
identified pursuant to the present invention. If, for exam- 
ple, the original subscriber ceases payment for the right, 
after a lapse of time, the system will no longer identify 

30 the original subscriber at the previously assigned bit- 
map position and this position may then be newly 
assigned to the identity of a "new" subscriber. If the new 
subscriber has paid for and hence been authorised to 
use the right, there will be a "1" again in the bitmap posi- 

35 tion. If, at the "original" subscriber s receiver/decoder, 
the decoder is disconnected before the next authorising 
message can update a linked conditional access sys- 
tem (associated with the "original subscriber") and if the 
decoder is later reconnected (or rf a clock is re-set), the 

40 "original" subscriber will then be mistaken for the "new" 
subscriber who has been authorised to use the right 
and the "original" subscriber will thereby fraudulently 
obtain the right. 

The present invention seeks to solve this problem 

45 and other similar or related problems where subscriber 
rights may be granted over periods of time which may 
depend typically, but not exclusively, on settling 
accounts. For example, rights may be granted for con- 
siderations other than payment where different sub- 

50 scribers can be authorised to use a system to gain 
access to a secure area, or to secure information, or to 
some other secure service. 

In the context of the present invention the terms 
"EMM" and "ECM" are utilised. 

55 An Entitlement Management Message or EMM is a 
message designated to one subscriber or to a group of 
subscribers. It is usually generated by a subscription 
authorisation system and is multiplexed with an MPEG- 
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2 stream. It is usually encrypted with a so-called "man- 
agement" key for example for group use. Hence it may 
be encrypted by a key common to all subscribers in a 
group of subscribers. 

An Entitlement Control Message or ECM is a mes- 5 
sage sent in relation with one scrambled program. The 
ECM enables a user to descramble a control word to 
obtain the right to descramble a television (or similar) 
programme. A key (termed herein an "ECM key") is 
passed through the EMM to a subscriber because the io 
smartcard used by the subscriber needs the ECM key to 
decipher the ECM. The deciphered ECM is used to 
descramble the control word and hence to descramble 
the programme. 

According to one aspect of the present invention 15 
there is provided a method of preventing fraudulent 
access in a conditional access system which is linked to 
a subscriber's receiver/decoder for receiving an entitle- 
ment management message (EMM) for a group of sub- 
scribers to enable said system to provide access for a so 
respective subscriber, the method including the step of: 

programming the receiver/decoder only to accept a 
current EMM of a cunent calendar period if it has 
received at least a previous EMM of a previous cal- ss 
endar period. 

Hence the problem of preventing fraudulent access 
can be solved. 

The method preferably further comprises the steps 30 

of: 

transmitting redundant date information with the 
current EMM; and receiving the current EMM and 
using redundant date information to check whether 35 
said previous EMM has been received. 



indicate the rights for the current month. In this case, 
when the current EMM is received by the decoder, the 
redundant date information, e.g. the "previous" ECM 
key, would be that of the immediately preceding month. 
However, it is not essential to have sequential periods, 
since the "current" and "previous" periods may be non- 
adjacent in time and there could be irregular amounts of 
real time between such periods. Typically, nonetheless, 
the previous EMM is for an immediately preceding cal- 
endar period, and the periods are sequential. 

When there are changes in subscriber rights, it is 
preferable to include, in the current EMM. a subscriber 
bitmap having positions representing subscription rights 
of the subscribers in the group. However, this is unnec- 
essary in situations where all subscribers are author- 
ised, for example, where all subscribers have paid their 
subscriptions for the respective calendar period; hence 
this may only occur when there are changes in sub- 
scriber rights. 

According to another aspect of the invention, there 
is provided a transmitter for use in a method of prevent- 
ing fraudulent access in a conditional access system 
which is linked to a subscriber's receiver/decoder for 
receiving an entitlement management message (EMM) 
for a group of subscribers to enable said system to pro- 
vide access for a respective subscriber, the 
receiver/decoder being programmed only to accept a 
current EMM of a current calendar period rf it has 
received at least a previous EMM of a previous calendar 
period, the transmitter including: 

means for transmitting redundant date information 
with a current EMM of a current calendar period so 
that the redundant date information can be used by 
the receiver/decoder to check whether said previ- 
ous EMM has been received. 



In a first preferred embodiment each EMM con- 
tains rights date information concerning a current right 
of access and corresponding check date information 
concerning a previous right of access, such check date 
information constituting the redundant date information. 
This can be a particularly efficient way of putting the 
invention into practice- 
In a second preferred embodiment, the redundant 
date information is an ECM key of a previous calendar 
period. This is a convenient alternative way of repre- 
senting such information. 

The subscriber rights may change on a regularly 
timed basis and the redundant date information may 
concern an immediately preceding period. 

In one illustrative example of the invention, wherein 
the receiver/decoder is one of a plurality of 
receiver/decoders in a broadcast system, the subscrib- 
ers need to have paid for a current month for the right to 
receive a program or programs and the subscriber 
rights could change on a monthly basis (since some 
may not have paid). The bitmap may then be used to 



Each EMM preferably contains rights date informa- 
tion concerning a current right of access and corre- 

40 sponding check date information concerning a previous 
right of access, such check date information constituting 
the redundant date information. After natively, the redun- 
dant date information may be an ECM key of a previous 
calendar period. 

45 According to another aspect of the invention, there 
is provided a receiver/decoder for use in a method of 
preventing fraudulent access in a conditional access 
system, the receiver/decoder being linked to the condi- 
tional access system and being provided for receiving 

so an entitlement management message (EMM) tor a 
group of subscribers to enable said system to provide 
access for a respective subscriber, the receiver/decoder 
including: 

55 means programmed only to accept a current EMM 
of a current calendar period if it has received at 
least a previous EMM of a previous calendar 
period. 
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14. A receiver/decoder according to Claim 12 or 13 
wherein the redundant date information is an ECM 
key of a previous calendar period. 
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Fig.2. 
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Fig.4. 
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Fig.5. 
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